The temporary 2FA codes are generated based on several variables, including a secret seed which is typically encoded in a QR code that the user scans with a 2FA app such as Google Authenticator.

Vigo’s tests showed that the request made when a QR code image was displayed to the user contained the login hash used by LastPass for authentication. In fact, the 2FA secret seed had been derived from the user’s password, which defeated the entire purpose of 2FA protection as the attacker presumably already possesses the password.

While determining the URL of the QR code was not difficult, a hacker needed to be authenticated for the attack to work. However, exploiting a cross-site request forgery (CSRF) vulnerability could address this problem. Getting a logged-in user to click on a specially crafted link that exploits a CSRF flaw could have allowed an attacker to obtain the QR code image.

According to Vigo, an attacker could have also leveraged cross-site scripting (XSS) vulnerabilities on popular websites to avoid having the victim visit his malicious site, which would be more likely to raise suspicion.

The researcher also found a simple way to disable 2FA using a CSRF vulnerability. As with all CSRF attacks, the hacker needed to get the victim to visit a malicious website.

LastPass was informed about these vulnerabilities on February 7 and immediately started working on patches. The company addressed the CSRF flaws, added a security mechanism for checking the origin of a QR code request, and eliminated the use of password hashes for the secret seed.

In a blog post published on Thursday, LastPass informed users that they don’t need to take any action as all the fixes have been done on the server side. The company also pointed out that exploiting the flaws required a combination of factors that made attacks more difficult.

“To exploit this issue an attacker would have needed to take several steps to bypass Google Authenticator,” LastPass said. “First, the attacker would have had to lure a user to a nefarious website. Second, the user would have to be logged in to LastPass at the time of visiting the malicious site.”

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.